DRJ Blogs

We used to call the Internet the “information super-highway” back in the day, when connections were slow, bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the ‘highway’ has remained, like a bad smell, one that has come back to haunt us in 2017… The highway robber!

The person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat –– ”your money or your life” –– reinforced of course with the trademark flintlock pistol and sabre.

Today’s highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.

Welcome to the first in our three-part series on business continuity planning headaches and how you can use the KingsBridge Shield solution to resolve them. Today "BCP plan access" is the focus. Making sure those that need it have it, while also ensuring that access to sensitive information remains restricted.

BCP Headache - #1 Keeping current copies of the plan in the hands of those that need it.

Access to a business continuity plan is critical when disaster strikes. To ensure this, many companies periodically print and distribute their plans to their recovery team members. A wide plan distribution is great to make sure everyone has the information they need. There is risk however, when old copies of the plans remain in circulation.

Shield’s web-based solution eliminates the risk of those old, stale copies floating around while ensuring that users have access to the latest and greatest plan information. All plan changes are immediately reflected in the plan for all users with access to view them. No need to print and distribute.

As covered in our last post, Records Management for BCP, one of the most challenging and yet critical elements of your business continuity plan (BCP) is records management. In this follow-up post, we’ll look at how KingsBridge Shield helps you to secure documents that are most critical to your business’ recovery.

Safe and Secure Documents Storage

When it comes to business continuity, documents needed to help recover the business have to be safely and securely stored. Many of our clients initially put a lot of faith in their IT department’s backups. They know the data is backed up and therefore feel that having a copy stored elsewhere is unnecessary. However, backup does not mean instant access. Recovery of electronic document storage takes time. Once documents are recovered, user access may be limited due to connectivity with the recovery location.

Shield provides a secure, web-based solution that supports the storage of critical documents independent of your company’s servers. The Shield mobile application syncs with the web application placing an additional off-line copy of these documents on your phone. No internet? No problem. Your phone will have all the documents you need.

Most of the organizations are now developing and using web applications to do their business online. This shift in the style has undoubtedly eased the way to do the business, but at the same time has exposed critical business and customer data to security threats. Recent report of Verizon Data Breach Investigation (2017) suggests that a good percentage of breaches were associated with web applications.

Some of these threats have now been addressed by various automated scanners which provide a robust detection of security vulnerabilities. However, it is still important to understand such vulnerabilities before we can resolve the danger posed.

Open Web Application Security Project (OWASP) is a group that works towards defining security recommendations, specifications, and explanations in key areas. This group was initially created as a project to define testing standards for web applications security. The specialized project concluded that purchase of dedicated software tools can make the web application immune to security breaches. Apart from this, OWASP published and drafted ‘Top 10 Security Vulnerabilities List’ for any web application.

Whether you’re implementing or just refining your disaster recovery (DR) process, one of the most important things to consider is your team. Depending on the people at the helm, your efforts will either be thorough and coordinated, or incomplete and disjointed. To start off on the right foot, you’ll need to assemble a knowledgeable group whose areas of expertise cover all the necessary bases.

Below is a list of roles that, in our view, are instrumental to the success of disaster recovery planning. Note that in your organization these roles may not be clearly defined yet (there may not be anyone who currently holds the title Disaster Recovery Coordinator, for example), but these roles should be assigned before the process begins.

Key Roles & Responsibilities For The Disaster Recovery Planning Team

Your disaster recovery planning team should consist of the following:

Management Steering Committee

Executive team members who oversee the process are involved at a high level, which means they may not technically need a seat at the table—but they should be standing in the room. They play an important role when it comes to approvals for things like budgetary issues, policy considerations, strategic direction, and overcoming roadblocks or intradepartmental issues. These individuals might be part of an existing business continuity oversight committee, or form a separate disaster recovery steering committee, depending on the organization.

Records management is an ongoing struggle for many businesses, especially when it comes to Business Continuity Planning (BCP). Every time we go to a client site we get asked about what to do with all of the information the business generates. Where should it be stored? How should it be accessed, and by whom? And how do we know it’s up to date? In this post we are highlighting a few tips and tricks for records management to help your business easily survive the next disaster.

What is a record?

Let’s start with the basics. What are we actually talking about when we say ‘record’? Most often a record is a set of printed documents that are kept in file folders or binders. But don’t be fooled! Records also include anything written in employee notebooks, or post-it notes at people’s desks. In short, anything written down for your company is a record. And that’s just hard copy.

There are also electronic records. Most often people think of anything that is generated in any of the Microsoft Office suite of programs (like Word, Excel, PowerPoint, etc.). These records also include pictures, any emails sent or received to the company email address (and yes, attachments too), as well as anything sent or received in instant message programs used by your business.

Plans should not be the only goal of Business Continuity Management (BCM) programs. The true end-state of BCM should be to assure that your organization can successfully manage itsresponseto any disruption, the goal of Incident Management.

An Incident Management focus has 4 components:

Planning– More than just BIAs and Risk Assessment, planning is the process of gathering, analysis and presentation of data crucial to Incident Managers’ and senior executives’ Decision Support. These include: assessment of current capabilities, vulnerabilities, gaps, single points of failure, process and IT services critical resources, RTO’s and RPO requirements.

What can we learn from Lac Mégantic

In July of 2013, the deadliest Canadian rail accident since 1867 occurred in Lac Megantic, Quebec. A series of errors resulted in a train carrying crude oil to roll downhill before derailing in the town of Lac Megantic. The accident resulted in:

63 derailed rail cars

47 deaths

2000 people forced from their homes

4200 people impacted

30 buildings destroyed

multiple criminal charges

$460 million dollars in settlements (and ongoing legal battles)

While it might be tempting to assume an accident of this magnitude is the result of a single large error or mechanical failure, this was not the case. Investigators identified 18 causes and contributing factors that led to the disaster. Here are a few common, but potentially dangerous assumptions, that were made by the rail company and are often heard in the emergency response and business continuity arena:

We've trained our staff in all safety procedures. The rail engineer in the Lac Megantic disaster received training. Despite this, he did not conduct a proper brake test to ensure the locomotive was secure. The engineer applied 7 handbrakes, yet investigators estimate that the operator should have applied at least 17 brakes to secure the train. Investigations revealed that training, testing and supervision were insufficient. Safety training is important, but regular reviews and testing are just as critical. Management needs to be sure that staff are always following procedures accurately and consistently.

We have written procedures for our staff to follow. In the rail disaster, personnel mislabeled the oil cars with the wrong type of crude oil and did not follow brake procedures. Just because procedures are written down doesn’t mean staff will always follow them. We can learn from the checklist approach used in the airline industry and now adopted in operating rooms as well. Mandatory checklists require the pilot/surgeon to physically check off that required procedures are followed, every time.

We’ve evaluated the situation and decided it’s too costly to fix so we’re going to accept the risk. Eight months before the Lac Mégantic rail disaster the lead locomotive was in for repair. Due to the costs associated with a standard repair and the pressure to return the locomotive to service as quickly as possible, the company took short cuts using an epoxy-like material instead of performing the standard repair. This material caught fire the night of the disaster and was a significant contributing factor to the events that led to the derailment. Businesses make cost-benefit decisions everyday but we need to be sure we’re fully recognizing all the costs. The railway is now in bankruptcy protection because of the event.

We are regulated and regularly inspected so we’re confident that we’re following all required procedures. Prior to the rail disaster, reports documented a pattern of repeat problems. Despite these reports, Transport Canada did not always follow up to ensure the company was addressing the underlying conditions that led to these recurring problems. Lack of oversight left gaps that contributed to the disaster. While many regulations exist, regulators often do not have sufficient resources to verify that companies are following the rules. Do not confuse compliance with safety. Companies need to do their own due diligence.

These are just a few of the excuses we hear companies use to make themselves feel comfortable that they’re meeting safety and business continuity obligations. These are also some of the same issues that led to the Lac Megantic disaster. Don’t assume you are meeting your obligations. Test, retest, and ensure you have tools and plans in place to ensure the safety of your operations.

For most business executives, finding a way to keep their businesses running even in the event of a disaster cannot be overstated. In fact, disaster recovery and business continuity are fast becoming the most important IT conversation that business leaders are having to discuss with their staff as well as train them on the protocols to follow when a disaster strikes. On average, business organizations take 1-9 hours to recover from a disaster. Each hour costs an average of $700,000.

In any disaster recovery procedure, the first few minutes and hours after a business system crashes are extremely crucial. For most enterprises, the rest of the recovery process is determined by how well events unfold in the period immediately after the disaster hits the business process.

Failure to be adequately prepared for a disaster has the potential to wreak havoc on the reputation and financial standing of the organization. What’s more, a poorly managed disaster can scare customers away. A Business Continuity Institute poll conducted by risk experts found that 85% of the people who took part in the survey had concerns that their businesses were at risk of a cyber-attack within a period of 12 months from the time the poll was conducted.

You’ve likely heard the terms before and may have a vague idea of their definition, but how do emergency response, disaster recovery and business continuity really work together during an incident? This blog post will walk you through these phases.

Putting Incident in Context

You are sitting in your office building and the fire alarm goes off. Following health and safety procedures, you head outside and smell smoke. You can see flames coming from the top two floors of the building. The fire department has arrived and is setting up to put the fire out. Your colleagues are moved away from the building, and anyone who is hurt is treated. You are left to wonder when, if ever, you’ll be able to come back to work.

Within three days your IT group has you set up with a laptop so that you can work remotely. You and your colleagues work together online and through conference calls. Eventually, after the damage to the office is fixed, you get a notice that everyone can return to work as normal.

At KingsBridge our primary focus is developing simple and straightforward business continuity software (our flagship tool Shield). However, we also believe strongly that to develop a useful tool, you need to be using it everyday, just like our customers do. To make this happen, we also do consulting – writing plans, exercising plans and performing gap analyses on existing plans. The gap analysis is always an interesting experience because we see how other organizations have structured their business continuity plans. We can receive hundreds of pages of content to perform our analysis. When the documentation arrives, our first thought is often, how do they find anything in here? They must be flipping pages forever to find the content they need when the plan is activated.

Easy plan navigation is critical to writing your business continuity plan. It’s one thing to ensure your plan includes all the critical plan elements and it is kept up to date. It’s quite another to ensure that everyone can find the information that they’re looking for. How do we manage this in Shield? Hyperlinks! [READ MORE...]

Business Continuity plan, or Disaster Recovery plan? How do you know which of these you should be writing for your company? Is there even a difference between the two?

The short answer is yes, there is a difference! And it is not intuitive. Most people hear the words ‘disaster recovery’ and assume that the phrase means ‘recovering from a disaster’. Likewise, ‘business continuity’ sounds like it means ‘continuing with business.’ These terms are often misused because the assumed definitions sound very similar. So let’s set the record straight!

Disaster Recovery Plan

A Disaster Recovery plan is not a plan to recover from a disaster. It is the plan your IT department will follow to bring systems back online in the event of an outage. These outages (what we in the industry call ‘incidents’) can occur in a number of different ways and affect a myriad of components. An outage or incident may be the cause of, or it may lead to, a disaster. If you have ever been sitting at your office desk and your email suddenly stops working, chances are your company experienced an incident. The IT department works madly to get your email back online. Then there is a sigh of relief when it works. And email is just one part of it. Access to the internal network, the different software you use, the phone system, and the internet all fall under Disaster Recovery too.

Mark your calendars! Business Continuity Awareness Week 2017 is next week, May 15 – 19! You may be thinking, “Wow, that’s coming up fast! I’m not ready, I thought I had more time!” Don’t worry! We’re here to help you with some last minute tips and tricks to pull off an educational, forward thinking Business Continuity Awareness Week!

This year’s theme is Cyber Security

The first thing you should know is this; The Business Continuity Institute (BCI) announced this week’s theme as cyber security. In a nutshell, cyber security is made up of the firewalls, technology, processes, etc. that help to protect your business from viruses, attacks, and other wrongful access. Below are a few examples of what you can do to increase its awareness in your organization.

Put up posters

The BCI has six different posters for download on their website – for free. Download some of these posters, print them, and hang them throughout your office. Each poster touches on a different part of cyber security and what your employees can do to stay secure.

It’s no longer acceptable to have simply checked a box indicating that you have a disaster recovery plan, or have performed a disaster recovery exercise within the last year that required significant resource investment and more than 16 weeks to plan for. In today’s always on world, with the severe reputational damage that can be caused by an outage at the forefront, many companies need a validated plan that may be fully executed in a minutes notice. As a result, companies are moving towards designing more proactive strategies to fail between sites on a more frequent basis, running production from the failed over site for an extended period of time to verify operations, then failing back to their original state.

For many companies this may seem to be an almost impossible task; however, the very recent introduction of recovery technology in the form of advanced orchestration, which automates and executes the entire recovery run book from end to end, now provides a single pane of glass to govern the complete process. Many companies are now successfully leveraging these advanced designs to not only successfully orchestrate and validate a fail over, but are gaining valuable insight and documented proof of the results for audit and compliance.

Cloud computing is hardly a new player of the IT world. Its ever-growing market share and popularity within the IT community derives from combining flexible prices with the Always-On Availability of infrastructure resources. It brings out a whole new world of possibilities for your business, while reducing the long-term costs of maintaining your own infrastructure. Yet, despite the obvious cost advantages of moving data to the cloud, pricing is still a top concern, as Veeam discovered from our recent 2016 cloud end-user survey (see chart below).

Are cloud backup and DRaaS affordable?

The answer depends on many factors. A change of mindset is required when thinking about the affordability of cloud-based backup and disaster recovery (DR). Depending on your individual business requirements, cloud backups or even a full Disaster Recovery as a Service (DRaaS) solution can be very affordable, especially considering the money saved in the event of a disaster. The general rule is the lower the recovery time objective (RTO) and recovery point objective (RPO) your business requires, the higher the potential cost.

One of the first things people do when disaster strikes is start communicating. Someone calls 911. Emergency response groups learn and relay important facts about the incident. And people speculate about what happened, why it happened, and what will happen now.

As a business, it is vital to be ready to respond when disasters occur. In order to keep gossip to a minimum and maintain a positive reputation, clear communication about the incident must occur in a timely fashion. This can be hard to do when there is concern over the well being of employees or pressure to provide an explanation about who is responsible. Adding to this stress is that all of the facts may not be known right away, yet communications still need to be sent.

So how does a business take steps to ensure clear, timely communications occur under all of that pressure? This post provides you with a few tips to help you (and your business) communicate effectively in the aftermath of a disaster.

Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:

• A storm in a teacup’ – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings• A storm in a glass of water’ – Netherland• Tempest in a potty’ – Hungary• A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ – England

Of course my seven year old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

We get asked a lot of questions about how any one company can possibly plan for all of the different incidents they could experience. It’s a good question. There are many variations of complexity to incidents that can make the task of planning for them all feel overwhelming. Fires start small, and can grow and spread. Tornadoes might cause minor damage to the warehouse, or take out the entire structure. One employee gets sick with the flu, and suddenly a third of the workforce is unable to come to work.

While discussing this problem with a friend of KingsBridge BCP recently, they had the perfect example to illustrate this point. This person works for a natural gas company, and their story goes like this:

There was a bad thunderstorm happening in an urban area adjacent to an electrical tower. Lightning from the storm struck the tower. The good news is that the tower had a ground wire. The bad news is that the ground wire ran down into the ground next to the end of a metal corrugated sewer pipe. The surge from the lightning strike ran down into the ground wire and hit the sewer pipe. It was conducted along the length of the sewer pipe until it hit a natural gas pipeline at the other end. This caused a minor explosion that set off a chain reaction to all of the natural gas feeds into the homes and businesses in the nearby vicinity.

Drj.com has thousands of articles that will help you learn more about a disaster recovery plan. We have been in the disaster recovery industry for many years and we have partnered with the world's top experts when it comes to business continuity and gathering reliable information on disaster recovery plan templates.